Why was second factor authentication watered down?

As far as I can remember, two-factor authentication has been in use since the first time I used online banking, over a BBS-like text interface on a 14.4bps modem. Back in the day the second factor was a printed list with numbered codes.
The idea of using different factors is to prevent hackers from accessing your bank account in case they can sniff your password with a trojan keylogger on your system. The factors are generally divided into things you know, things you have and things you are, so the categorization is based on the kind of user interaction. In general it is assumed that everything typed on or stored in a general-purpose computing system can be extracted by an attacker. This is why I propose a different categorization further down, based on the threat each factor protects against.

Things you know (memorized):

  • username
  • password

The first category is pretty much self-explanatory: it is the typical password. Before we had hundreds of accounts, we were able to memorize our passwords. Single-factor authentication with only a password is problematic not only because attackers can eavesdrop on what we type, but also because computers are increasingly fast at trying different combinations.

Things you are (biometrics):

  • fingerprint
  • face
  • iris
  • veins

In theory biometrics would be the perfect method for authentication. Unfortunately the technical implementations have many weak points. There are countless stories of fooling fingerprint readers with sticky tape or jelly sweets. But even when you couldn’t fool the device itself, as long as the sensors are run on top of a general purpose computing device, the data can be stolen and manipulated. Once the biometric data are stolen, you can’t change a fingerprint or an iris as easily as you can change a password.

Things you have (possess):

  • printed list with codes
  • dedicated device for displaying codes
  • phone for receiving text messages
  • phone for running an app to display codes

This one is only simple at first sight. Let's dissect them a bit closer. For a printed list with codes it is not enough to install a trojan on your system. It generally requires physical access to make a copy of it, but you are not alerted when somebody with physical access makes a copy. As soon as you scan it and save a copy on your computer to make login more convenient for you, it also becomes more convenient for an attacker to steal your credentials. There are even banks that send a PDF with the 2FA codes electronically. As a general rule of thumb: once a secret is stored on a connected general-purpose computer, its security is weakened considerably. Thus it is not only important how secret information is stored, but equally important how it was generated and how it was transported.

It may not be equally easy to compromise text messages with every cell operator, but it has happened too many times and has made this method almost abandoned. As described above, information stored on connected general-purpose computing devices can be extracted. This is an important fact to consider when using authenticator apps such as Authy or Google Authenticator. These apps are based on TOTP, but the important difference from TOTP hardware devices is how the secret is stored and protected.
That leaves us with dedicated hardware devices. These come in many forms. Some banks have used little TOTP devices for decades. There are devices that operate in conjunction with your plastic debit card and some that scan mosaic codes. What they all have in common is that they display a code that you enter on the logon screen.
And then there is FIDO U2F. It is a standard that was established in 2014, but hasn't yet gained the traction it deserves. FIDO devices store a seed in protected memory and generate a subkey for every site you want to log in to securely; some even display the site you are about to log in to. This in fact also protects against phishing attempts, because the signed response is bound to the site's origin. Meanwhile most Bitcoin hardware wallets can act as FIDO U2F devices. But the most widely known and used dedicated 2FA device is surely the YubiKey, which comes in a great form factor.
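To make the origin binding concrete, here is an added model of the U2F-style flow described above. It is example code written for this page, not code from the FIDO specification or from any vendor: the `Authenticator` and `RelyingParty` classes, the key-handle layout and the origin strings are all assumptions, and HMAC-SHA256 stands in for the ECDSA signature a real token produces (so the relying party holds the derived per-site key instead of a public key). What the model does keep from U2F is that one device seed never leaves the token, that each site gets its own derived credential, and that the token signs over the origin the browser reports, so a response obtained on a look-alike origin is useless at the real one.

```python
import hashlib
import hmac
import secrets


class Authenticator:
    """Model of a U2F-style token (assumed design, not a real product)."""

    def __init__(self, check_handle: bool = True):
        self._seed = secrets.token_bytes(32)   # stays in "protected memory"
        self.check_handle = check_handle       # False models a sloppy token, for the second test

    def _mac(self, label: bytes, origin: str, handle: bytes) -> bytes:
        return hmac.new(self._seed, label + b"|" + origin.encode() + b"|" + handle,
                        hashlib.sha256).digest()

    def register(self, origin: str):
        """Derive a per-site credential; the key handle lets the token recognise its own origin."""
        handle = secrets.token_bytes(16)
        key_handle = handle + self._mac(b"handle", origin, handle)[:16]
        # HMAC stand-in: the "verification key" handed to the site is the derived site key itself.
        return key_handle, self._mac(b"key", origin, handle)

    def sign(self, origin: str, key_handle: bytes, challenge: bytes):
        """Sign challenge||origin with the site key; `origin` is whatever the browser reports."""
        handle, tag = key_handle[:16], key_handle[16:]
        if self.check_handle and not hmac.compare_digest(tag, self._mac(b"handle", origin, handle)[:16]):
            raise ValueError("key handle was not issued for this origin")
        site_key = self._mac(b"key", origin, handle)
        message = b"auth|" + origin.encode() + b"|" + challenge
        return origin, hmac.new(site_key, message, hashlib.sha256).digest()


class RelyingParty:
    """The web site: stores one credential per user and only accepts assertions over its own origin."""

    def __init__(self, origin: str):
        self.origin = origin
        self.credentials = {}  # user -> (key_handle, verification_key)

    def enroll(self, user: str, token: Authenticator) -> None:
        self.credentials[user] = token.register(self.origin)

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(32)

    def verify(self, user: str, challenge: bytes, assertion) -> bool:
        signed_origin, signature = assertion
        _, key = self.credentials[user]
        if signed_origin != self.origin:        # origin mismatch: reject before anything else
            return False
        expected = hmac.new(key, b"auth|" + self.origin.encode() + b"|" + challenge,
                            hashlib.sha256).digest()
        return hmac.compare_digest(signature, expected)


def legitimate_login(rp: RelyingParty, token: Authenticator, user: str) -> bool:
    """Browser is on the real origin, so the token signs for it and the site accepts."""
    challenge = rp.new_challenge()
    key_handle, _ = rp.credentials[user]
    return rp.verify(user, challenge, token.sign(rp.origin, key_handle, challenge))


def relayed_login(rp: RelyingParty, token: Authenticator, user: str, other_origin: str) -> bool:
    """Same challenge and key handle, but the browser reports a look-alike origin to the token."""
    challenge = rp.new_challenge()
    key_handle, _ = rp.credentials[user]
    try:
        assertion = token.sign(other_origin, key_handle, challenge)
    except ValueError:
        return False                            # token refuses: handle belongs to another origin
    return rp.verify(user, challenge, assertion)  # even if it signed, the origin does not match


if __name__ == "__main__":
    token, site = Authenticator(), RelyingParty("https://example.com")   # constructed sample
    site.enroll("alice", token)
    print("real origin:", legitimate_login(site, token, "alice"))
    print("look-alike origin:", relayed_login(site, token, "alice", "https://examp1e.com"))
```

Two independent layers reject the relayed response: the token itself notices that the key handle was not issued for the origin it is being asked to sign for, and a relying party that checks the signed origin would still refuse the assertion of a token that skipped that check. A TOTP code has neither property, which is why it can be relayed from any page that asks for it.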

I propose a new categorization of factors:

  • things that a trojan can steal from your computer or smartphone
  • things that a thief can copy when breaking into your apartment
  • things that can’t be copied and that you would notice immediately when stolen from your keyring

With this categorization, you realize that most snake-oil app-based 2FA belongs in the first category along with good old passwords and password managers. Banking trojans that consist of a part for the computer and a part for the smartphone were around even before those 2FA apps became popular. And this is how you differentiate measures that improve security from security theatre. Security theatre is a term for measures that harass the users to give them a sense of security without really improving it. It only deters the opportunistic casual thief, but does nothing against well-organized crime gangs. It's essentially all the pain without any gain. That is what 2FA smartphone apps are!

But I don’t want to carry around a device

Security is often a tradeoff against convenience. For me it was always clear that I want to protect every account that I can with the security offered by a dedicated device. But apparently there are enough people who don't care about security, or simply don't understand the tradeoffs. When I discovered that the Tesla account was only secured by a password, I was so shocked that I disabled remote access in the car. That was almost three years ago. In the forum discussions there were people arguing against carrying around a security device weighing a few grams. And indeed, when Tesla introduced 2FA last week, they used solely TOTP. Whenever I have to use TOTP, I use it with my YubiKey. But even that procedure has one important weakness: when setting it up, the secret is displayed and/or entered on a general-purpose computing device that must be connected to the internet. When this device is compromised, the whole 2FA is moot. Hence I will leave my car disconnected for the time being.
Since I have learnt about secure 2FA devices, I want to have all my accounts secured. Hence I switched my main bank account to a bank that supports hardware-based 2FA a couple of years ago. Now at my new employer, which also happens to be a bank, we use 2FA to log on to some systems. The default is a proprietary app that is only available for iOS and Android. My phones run PureOS and UBports for security reasons. From the internal network, we can use TOTP and even FIDO U2F. But when logging in from home, only the less secure method with the proprietary app is allowed. I will never understand the reason behind that. I can still work from home: I can access the git repos, but I can't log in to Jira or Webex. Since I work for a bank now, I have an account with my employer that has very favorable conditions. But again the 2FA is only possible with a proprietary app that is only available for iOS and Android. This is a real pity. I would love to make more use of that account. But even if that snake-oil app were available for any of my phones, I would not deposit a lot, because of the weak security.